From owner-freebsd-ipfw Sun Apr 23  9:57:53 2000
From: "Jordan Blanchard" <cybernetik@sympatico.ca>
To: freebsd-ipfw@freebsd.org
Subject: Firewall and the general Network
Date: Sun, 23 Apr 2000 12:57:40 -0400

Hello Everyone.. ok, here's the problem.. I've got one freebsd 3.4 box as my
gateway/router/firewall, two win95 machines, and a 2.2.5 and 3.2 freebsd
boxes.. I try and use the SIMPLE firewall, but the DNS part isn't working,
my connection is via PPPOE... Everything works like a charm with the
rc.firewall going in OPEN mode? any suggestions?

Jordan
cybernetik@sympatico.ca

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message


From owner-freebsd-ipfw Sun Apr 23 20:06:03 2000
From: "Jordan Blanchard" <cybernetik@sympatico.ca>
To: "Serg N" <serega@fk.lutsk.ua>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Firewall and the general Network
Date: Sun, 23 Apr 2000 23:02:27 -0400
In-Reply-To: <000a01bfad6c$29802380$8f01010a@hlt>

well, I've read the Man files and nothing works... I think that the Firewall
is also forcing me to use a proxy... I don't get this..

-----Original Message-----
From: Serg N [mailto:serega@fk.lutsk.ua]
Sent: Sunday, April 23, 2000 5:38 PM
To: Jordan Blanchard
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network

> > Hello Everyone.. ok, here's the problem.. I've got one freebsd 3.4 box as my
> > gateway/router/firewall, two win95 machines, and a 2.2.5 and 3.2 freebsd
> > boxes.. I try and use the SIMPLE firewall, but the DNS part isn't working,
> > my connection is via PPPOE... Everything works like a charm with the
> > rc.firewall going in OPEN mode? any suggestions?
>
> I think man will help you :)


From owner-freebsd-ipfw Sun Apr 23 23:00:19 2000
From: "Serg N" <serega@fk.lutsk.ua>
To: "Jordan Blanchard" <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Firewall and the general Network
Date: Mon, 24 Apr 2000 00:37:42 +0300
Message-ID: <000a01bfad6c$29802380$8f01010a@hlt>

> Hello Everyone.. ok, here's the problem.. I've got one freebsd 3.4 box as my
> gateway/router/firewall, two win95 machines, and a 2.2.5 and 3.2 freebsd
> boxes.. I try and use the SIMPLE firewall, but the DNS part isn't working,
> my connection is via PPPOE... Everything works like a charm with the
> rc.firewall going in OPEN mode? any suggestions?

I think man will help you :)


From owner-freebsd-ipfw Mon Apr 24  5:16:37 2000
From: fooler <fooler@skyinet.net>
To: freebsd-ipfw@FreeBSD.ORG
Subject: icmp type and code for ipfw
Date: Mon, 24 Apr 2000 20:33:09 +0800
Message-ID: <39043F05.3CEC10B8@skyinet.net>

hello all,

i read the man page of ipfw and i only saw icmp type without the code part.
is there a patch or newer version of ipfw that supports icmp code of a
certain icmp type? ipf can do this but i want to use ipfw.

tia.

fooler.


From owner-freebsd-ipfw Mon Apr 24  5:22:11 2000
From: "Crist J. Clark" <cjclark@home.com>
To: Jordan Blanchard <cybernetik@sympatico.ca>
Cc: Serg N <serega@fk.lutsk.ua>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network
Date: Mon, 24 Apr 2000 08:21:53 -0400
Message-ID: <20000424082153.A73579@cc942873-a.ewndsr1.nj.home.com>
References: <000a01bfad6c$29802380$8f01010a@hlt>

On Sun, Apr 23, 2000 at 11:02:27PM -0400, Jordan Blanchard wrote:
> well, I've read the Man files and nothing works... I think that the Firewall
> is also forcing me to use a proxy... I don't get this..

"Forcing you to use a proxy?" What do you mean?

Anyway, could you send,

  # ipfw show
  # netstat -rn
  # ifconfig -a

And if you are running natd(8) or a routing daemon, the relevant
info. Then we can probably help analyze your problem.
-- 
Crist J. Clark                                cjclark@home.com


From owner-freebsd-ipfw Mon Apr 24  7:17:25 2000
From: "Jordan Blanchard" <cybernetik@sympatico.ca>
To: freebsd-ipfw@freebsd.org
Subject: RE: Firewall and the general Network
Date: Mon, 24 Apr 2000 10:17:16 -0400
In-Reply-To: <20000424082153.A73579@cc942873-a.ewndsr1.nj.home.com>

> "Forcing you to use a proxy?" What do you mean?

well, when trying to view web pages without a proxy program through my 95
box, it stalls..

> Anyway, could you send,
>
> # ipfw show

00060 66545 35492707 allow ip from any to any
00100     0        0 divert 8668 ip from any to any via tun0
00100     0        0 allow ip from any to any via lo0
00100     0        0 divert 8668 ip from any to any via tun0
00100     0        0 divert 8668 ip from any to any via tun0
00200     0        0 deny ip from any to 127.0.0.0/8
00210     0        0 deny icmp from any to any via ed0
65535    16     1000 deny ip from any to any

> # netstat -rn

Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use     Netif Expire
default            216.209.34.1       UGSc       10     9642      tun0
1                  link#2             UC          0        0       ed1
10.10.10/24        link#1             UC          0        0       ed0
10.10.10.12        0:40:5:4d:3d:c8    UHLW        1     2260       ed0    144
10.10.10.120       0:80:c8:36:69:ed   UHLW        2     4970       ed0    715
127.0.0.1          127.0.0.1          UH          0        2       lo0
216.209.34.1       216.209.34.202     UH          9        0      tun0
216.209.34.202     127.0.0.1          UH          0        0       lo0

> # ifconfig -a

ed0: flags=8843 mtu 1500
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        ether 00:20:18:65:a0:9f
ed1: flags=88c3 mtu 1500
        inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
        ether 00:00:c0:df:fb:7f
tun0: flags=8051 mtu 1492
        inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
ppp0: flags=8010 mtu 1500
lo0: flags=8049 mtu 16384
        inet 127.0.0.1 netmask 0xff000000

> And if you are running natd(8) or a routing daemon, the relevant
> info. Then we can probably help analyze your problem.

I've got natd running, from rc.conf..

  138  ??  Is     0:00.00 /sbin/natd -n tun0


From owner-freebsd-ipfw Mon Apr 24  7:54:18 2000
From: Mike Heffner <mheffner@mailandnews.com>
To: Jordan Blanchard <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Firewall and the general Network
Date: Mon, 24 Apr 2000 10:53:06 -0400 (EDT)

On 24-Apr-2000 Jordan Blanchard wrote:
| > "Forcing you to use a proxy?" What do you mean?
|
| well, when trying to view web pages without a proxy program through my 95
| box, it stalls..
|
| > Anyway, could you send,
| >
| > # ipfw show
|
| 00060 66545 35492707 allow ip from any to any
| 00100     0        0 divert 8668 ip from any to any via tun0
| 00100     0        0 allow ip from any to any via lo0
| 00100     0        0 divert 8668 ip from any to any via tun0
| 00100     0        0 divert 8668 ip from any to any via tun0
| 00200     0        0 deny ip from any to 127.0.0.0/8
| 00210     0        0 deny icmp from any to any via ed0
| 65535    16     1000 deny ip from any to any
|

Well...there doesn't seem to be much sense to those rules. You should
probably be able to notice that all traffic is being passed by rule 60
and none is being diverted through natd (that's what the 0's mean). Also,
why do you have 3 different divert rules?
Here is my suggestion to achieve a basic functioning firewall:

  100 allow ip from any to any via lo0
  200 deny ip from any to 127.0.0.0/8
  300 divert 8668 ip from any to any via tun0
  400 allow ip from any to any

Later,

/****************************************
 * Mike Heffner                         *
 * Fredericksburg, VA     ICQ# 882073   *
 * Sent at: 24-Apr-2000 -- 10:47:58 EST *
 * http://my.ispchannel.com/~mheffner   *
 ****************************************/


From owner-freebsd-ipfw Mon Apr 24 18:51:50 2000
From: "Crist J. Clark" <cjclark@home.com>
To: Jordan Blanchard <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network
Date: Mon, 24 Apr 2000 21:17:21 -0400
Message-ID: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>
References: <20000424082153.A73579@cc942873-a.ewndsr1.nj.home.com>

On Mon, Apr 24, 2000 at 10:17:16AM -0400, Jordan Blanchard wrote:
> > "Forcing you to use a proxy?" What do you mean?
>
> well, when trying to view web pages without a proxy program through my 95
> box, it stalls..
>
> > Anyway, could you send,
> >
> > # ipfw show
>
> 00060 66545 35492707 allow ip from any to any
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00100     0        0 allow ip from any to any via lo0
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00100     0        0 divert 8668 ip from any to any via tun0
> 00200     0        0 deny ip from any to 127.0.0.0/8
> 00210     0        0 deny icmp from any to any via ed0
> 65535    16     1000 deny ip from any to any

As Mike pointed out, these rules make no sense. They are not the
"simple" firewall rules either.

> # netstat -rn
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags     Refs     Use     Netif Expire
> default            216.209.34.1       UGSc       10     9642      tun0
> 1                  link#2             UC          0        0       ed1
> 10.10.10/24        link#1             UC          0        0       ed0
> 10.10.10.12        0:40:5:4d:3d:c8    UHLW        1     2260       ed0    144
> 10.10.10.120       0:80:c8:36:69:ed   UHLW        2     4970       ed0    715
> 127.0.0.1          127.0.0.1          UH          0        2       lo0
> 216.209.34.1       216.209.34.202     UH          9        0      tun0
> 216.209.34.202     127.0.0.1          UH          0        0       lo0

OK.

> # ifconfig -a
>
> ed0: flags=8843 mtu 1500
>         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
>         ether 00:20:18:65:a0:9f
> ed1: flags=88c3 mtu 1500
>         inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
>         ether 00:00:c0:df:fb:7f
> tun0: flags=8051 mtu 1492
>         inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
> ppp0: flags=8010 mtu 1500
> lo0: flags=8049 mtu 16384
>         inet 127.0.0.1 netmask 0xff000000

OK.

> > And if you are running natd(8) or a routing daemon, the relevant
> > info. Then we can probably help analyze your problem.
>
> I've got natd running, from rc.conf..
>
>   138  ??  Is     0:00.00 /sbin/natd -n tun0

If you are doing NAT through PPP, you should probably use the '-nat'
option in ppp(8) rather than the natd(8) daemon.
-- 
Crist J. Clark                                cjclark@home.com


From owner-freebsd-ipfw Mon Apr 24 20:31:20 2000
From: "Jordan Blanchard" <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@freebsd.org
Subject: RE: Firewall and the general Network
Date: Mon, 24 Apr 2000 23:31:06 -0400
In-Reply-To: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>

> > 00060 66545 35492707 allow ip from any to any
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00100     0        0 allow ip from any to any via lo0
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00100     0        0 divert 8668 ip from any to any via tun0
> > 00200     0        0 deny ip from any to 127.0.0.0/8
> > 00210     0        0 deny icmp from any to any via ed0
> > 65535    16     1000 deny ip from any to any
>
> As Mike pointed out, these rules make no sense. They are not the
> "simple" firewall rules either.

Below is the new firewall..

00100 divert 8668 ip from any to any via ed1
00100 allow ip from any to any via tun0
00130 allow tcp from any to any established
00140 allow ip from 10.10.10.0/24 to 1.1.1.1
00200 deny ip from 10.10.10.0/24 to any in recv ed1
00200 allow tcp from any to any 25
00300 deny ip from 1.1.1.0/24 to any in recv ed0
00315 allow udp from any 53 to any via tun0
00320 allow tcp from any to 1.1.1.1 110
00340 allow log logamount 10 udp from any to 10.10.10.1 123
00400 deny ip from 192.168.0.0/16 to any via ed1
00400 allow udp from any to 1.1.1.1 7070
00400 allow udp from any to 1.1.1.1 6770
00400 allow udp from any to 1.1.1.1 6070
00400 allow tcp from any to 1.1.1.1 554
00400 allow udp from any to 1.1.1.1 4000
00410 deny tcp from any to any 79
00420 deny ip from any to 127.0.0.0/8
00430 unreach host icmp from any to any via ed0
00440 deny log logamount 10 tcp from 10.10.10.12 to 1.1.1.1 20-23
00500 deny ip from any to 192.168.0.0/16 via ed1
00600 deny ip from 172.16.0.0/12 to any via ed1
00700 deny ip from any to 172.16.0.0/12 via ed1
00800 deny ip from 10.0.0.0/8 to any via ed1
00900 deny ip from any to 10.0.0.0/8 via ed1
01000 allow tcp from any to any established
01100 allow tcp from any to 1.1.1.1 25 setup
01200 allow tcp from any to 1.1.1.1 53 setup
01300 allow tcp from any to 1.1.1.1 80 setup
01400 deny log logamount 10 tcp from any to any in recv ed1 setup
01500 allow tcp from any to any setup
01600 allow udp from any 53 to any via ed1
01700 allow udp from any to any 53 via ed1
01800 allow udp from any 123 to any via ed1
01900 allow udp from 10.0.0.0/8 to any 123 via ed1
10155 deny log logamount 10 tcp from any to 10.10.10.1 2049
10160 deny log logamount 10 icmp from any to any via ed0
10160 deny log logamount 10 udp from any to 1.1.1.1
10200 allow ip from any to any
65535 deny ip from any to any

as you now have noticed, there's been quite a few changes... There's only
one problem now.. the ip 10.10.10.12, I've stopped incoming telnets and ftps
but can't telnet out???
should I be using the pass command?

> > I've got natd running, from rc.conf..
> >
> >   138  ??  Is     0:00.00 /sbin/natd -n tun0
>
> If you are doing NAT through PPP, you should probably use the '-nat'
> option in ppp(8) rather than the natd(8) daemon.

well, I have put in the nat enable yes command into the ppp.conf and I don't
see ppp -auto -nat pppoe I see

   95  ??  Ss     0:01.50 ppp -auto -quiet pppoe

could it be something in my ppp.conf?


From owner-freebsd-ipfw Tue Apr 25 18:40:29 2000
From: "Crist J. Clark" <cjclark@home.com>
To: Jordan Blanchard <cybernetik@sympatico.ca>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Firewall and the general Network
Date: Tue, 25 Apr 2000 21:39:54 -0400
Message-ID: <20000425213953.C13245@cc942873-a.ewndsr1.nj.home.com>
References: <20000424211721.A75100@cc942873-a.ewndsr1.nj.home.com>

On Mon, Apr 24, 2000 at 11:31:06PM -0400, Jordan Blanchard wrote:
> > As Mike pointed out, these rules make no sense. They are not the
> > "simple" firewall rules either.
>
> Below is the new firewall..
>
> 00100 divert 8668 ip from any to any via ed1
> 00100 allow ip from any to any via tun0
> 00130 allow tcp from any to any established
> 00140 allow ip from 10.10.10.0/24 to 1.1.1.1
> 00200 deny ip from 10.10.10.0/24 to any in recv ed1
> 00200 allow tcp from any to any 25
> 00300 deny ip from 1.1.1.0/24 to any in recv ed0
> 00315 allow udp from any 53 to any via tun0
> 00320 allow tcp from any to 1.1.1.1 110
> 00340 allow log logamount 10 udp from any to 10.10.10.1 123
> 00400 deny ip from 192.168.0.0/16 to any via ed1
> 00400 allow udp from any to 1.1.1.1 7070
> 00400 allow udp from any to 1.1.1.1 6770
> 00400 allow udp from any to 1.1.1.1 6070
> 00400 allow tcp from any to 1.1.1.1 554
> 00400 allow udp from any to 1.1.1.1 4000
> 00410 deny tcp from any to any 79
> 00420 deny ip from any to 127.0.0.0/8
> 00430 unreach host icmp from any to any via ed0
> 00440 deny log logamount 10 tcp from 10.10.10.12 to 1.1.1.1 20-23
> 00500 deny ip from any to 192.168.0.0/16 via ed1
> 00600 deny ip from 172.16.0.0/12 to any via ed1
> 00700 deny ip from any to 172.16.0.0/12 via ed1
> 00800 deny ip from 10.0.0.0/8 to any via ed1
> 00900 deny ip from any to 10.0.0.0/8 via ed1
> 01000 allow tcp from any to any established
> 01100 allow tcp from any to 1.1.1.1 25 setup
> 01200 allow tcp from any to 1.1.1.1 53 setup
> 01300 allow tcp from any to 1.1.1.1 80 setup
> 01400 deny log logamount 10 tcp from any to any in recv ed1 setup
> 01500 allow tcp from any to any setup
> 01600 allow udp from any 53 to any via ed1
> 01700 allow udp from any to any 53 via ed1
> 01800 allow udp from any 123 to any via ed1
> 01900 allow udp from 10.0.0.0/8 to any 123 via ed1
> 10155 deny log logamount 10 tcp from any to 10.10.10.1 2049
> 10160 deny log logamount 10 icmp from any to any via ed0
> 10160 deny log logamount 10 udp from any to 1.1.1.1
> 10200 allow ip from any to any
> 65535 deny ip from any to any
>
> as you now have noticed, there's been quite a few changes... There's only
> one problem now.. the ip 10.10.10.12, I've stopped incoming telnets and ftps
> but can't telnet out??? should I be using the pass command?

Do you mean you can't telnet "out" to 1.1.1.1 from rule 440? I'm still
pretty confused about some of the rules, 130 and 1000? 200 and 1100? And
rule 420!?!?

> > > # netstat -rn
> > >
> > > Routing tables
> > >
> > > Internet:
> > > Destination        Gateway            Flags     Refs     Use     Netif Expire
> > > default            216.209.34.1       UGSc       10     9642      tun0
> > > 1                  link#2             UC          0        0       ed1
      ^
Didn't catch this before. You should not really be using that network.

> > > 10.10.10/24        link#1             UC          0        0       ed0
> > > 10.10.10.12        0:40:5:4d:3d:c8    UHLW        1     2260       ed0    144
> > > 10.10.10.120       0:80:c8:36:69:ed   UHLW        2     4970       ed0    715
> > > 127.0.0.1          127.0.0.1          UH          0        2       lo0
> > > 216.209.34.1       216.209.34.202     UH          9        0      tun0
> > > 216.209.34.202     127.0.0.1          UH          0        0       lo0
> >
> > OK.
> >
> > > # ifconfig -a
> > >
> > > ed0: flags=8843 mtu 1500
> > >         inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
> > >         ether 00:20:18:65:a0:9f
> > > ed1: flags=88c3 mtu 1500
> > >         inet 1.1.1.1 netmask 0xff000000 broadcast 1.255.255.255
> > >         ether 00:00:c0:df:fb:7f
> > > tun0: flags=8051 mtu 1492
> > >         inet 216.209.34.202 --> 216.209.34.1 netmask 0xffffff00
> > > ppp0: flags=8010 mtu 1500
> > > lo0: flags=8049 mtu 16384
> > >         inet 127.0.0.1 netmask 0xff000000

[snip]

> > If you are doing NAT through PPP, you should probably use the '-nat'
> > option in ppp(8) rather than the natd(8) daemon.
>
> well, I have put in the nat enable yes command into the ppp.conf and I don't
> see ppp -auto -nat pppoe I see
>
>    95  ??  Ss     0:01.50 ppp -auto -quiet pppoe
>
> could it be something in my ppp.conf?

If you were to specify '-nat' on the command line or start it through
the boot,

  % grep ppp_nat /etc/defaults/rc.conf
  ppp_nat="YES"           # Use PPP's internal network address translation or NO.

You would see that in ps. You will not see it in ps if you use a,

  nat enable yes

In your ppp.conf. Do make sure the line is used for the connection you
are using.

If you are using the PPP NAT, I think you can lose your 'divert' rules
in your firewall.
-- 
Crist J. Clark                                cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
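The two checks Mike and Crist apply by eye in this thread, a catch-all rule that shadows everything listed after it (rule 60 in the first dump, which is why the divert counters stay at zero) and rule numbers or rule bodies listed twice (the four rule-100 entries, the three identical divert rules, 130 and 1000 in the second set), as an added example that is not code from the list or from FreeBSD. It assumes only the column layout of `ipfw show` (number, packets, bytes, rule) and `ipfw list` (number, rule), and embeds the rule sets posted in the thread as constructed input.

```python
"""Audit an ipfw rule dump for rules that can never match or are listed twice."""
# Added example for this thread, not code from the list or from FreeBSD; it assumes
# the `ipfw show` columns (number, packets, bytes, rule) and `ipfw list` (number, rule).
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed from the first `ipfw show` posted in the thread.
OLD_RULES = """\
00060 66545 35492707 allow ip from any to any
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 allow ip from any to any via lo0
00100 0 0 divert 8668 ip from any to any via tun0
00100 0 0 divert 8668 ip from any to any via tun0
00200 0 0 deny ip from any to 127.0.0.0/8
00210 0 0 deny icmp from any to any via ed0
65535 16 1000 deny ip from any to any
"""

# Mike Heffner's suggested replacement, in `ipfw list` format (no counters).
SUGGESTED_RULES = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 divert 8668 ip from any to any via tun0
00400 allow ip from any to any
"""

# Excerpt of the second rule set posted: the pair Crist asks about (130 and 1000).
SECOND_RULES_EXCERPT = """\
00130 allow tcp from any to any established
01000 allow tcp from any to any established
10200 allow ip from any to any
65535 deny ip from any to any
"""

class Rule(NamedTuple):
    number: int
    packets: Optional[int]   # None when the dump came from `ipfw list`
    body: str                # action plus match expression

# A terminal action with no interface, direction or port qualifier matches everything.
_CATCH_ALL = re.compile(r"^(allow|accept|pass|permit|deny|drop) (ip|all) from any to any$")

def parse_rules(dump: str) -> List[Rule]:
    """Parse `ipfw show` or `ipfw list` output, deciding the format per line."""
    rules = []
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        # `ipfw show` puts packet and byte counters before the rule text; an
        # action keyword is never numeric, so two leading integers mean `show`.
        if len(tokens) > 3 and tokens[1].isdigit() and tokens[2].isdigit():
            rules.append(Rule(int(tokens[0]), int(tokens[1]), " ".join(tokens[3:])))
        else:
            rules.append(Rule(int(tokens[0]), None, " ".join(tokens[1:])))
    return rules

def find_shadowed(rules: List[Rule]) -> List[Rule]:
    """Rules after the first catch-all allow/deny; the kernel never reaches them."""
    for index, rule in enumerate(rules):
        if _CATCH_ALL.match(rule.body):
            # 65535 is ipfw's built-in default rule, not a configuration mistake.
            return [r for r in rules[index + 1:] if r.number != 65535]
    return []

def duplicate_numbers(rules: List[Rule]) -> Dict[int, int]:
    """Rule numbers carrying more than one rule (legal in ipfw, but it hides mistakes)."""
    counts: Dict[int, int] = {}
    for rule in rules:
        counts[rule.number] = counts.get(rule.number, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}

def duplicate_bodies(rules: List[Rule]) -> Dict[str, List[int]]:
    """Identical rule text listed more than once, e.g. the three divert rules."""
    seen: Dict[str, List[int]] = {}
    for rule in rules:
        seen.setdefault(rule.body, []).append(rule.number)
    return {body: nums for body, nums in seen.items() if len(nums) > 1}
```

On the first dump every rule after 60 is reported as shadowed with zero packets, which is the "0's" Mike points at; on the suggested set nothing is reported, since its catch-all is last and the divert rule precedes it.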